SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Tue, 3 Jan 2017 20:54:38 -0800
On 2017-01-03 14:31, Tom H wrote:
> On Tue, Jan 3, 2017 at 3:11 PM, jdow <[log in to unmask]> wrote:
>> On 2017-01-03 09:56, David Sommerseth wrote:
>>>
>>> Remember that firewalld provides an API over D-Bus for dynamic
>>> firewall updates, so this is kind of to "seal" the configuration
>>> without breaking any component depending on manipulating the firewall
>>> as the system is running. NetworkManager and libvirt are two
>>> components which adjust the firewall on-the-fly, depending on which
>>> network you're connected to or which VMs have been started, and so on.
>>
>> That still leaves me mumbling and led me down a midget rabbit hole.
>> The "iptables" command is 777 root root system_u:object_r:bin_t:s0;
>> but, that's OK. It's a link - to xtables-multi, which is rwxr-xr-x.
>> root root system_u:object_r:iptables_exec_t:s0. Waitaminit says I to
>> meself. (or is it me to iself? Whatever) Let's give that a try.... The
>> results are reassuring:
>> ===8<---
>> [jdow@whereever ~]$ xtables-multi iptables -L -v
>> iptables v1.4.21: can't initialize iptables table `filter': Permission
>> denied (you must be root)
>> Perhaps iptables or your kernel needs to be upgraded.
>> ===8<---
>> I guess the ancient philosophy of one task one command is passé and
>> now a monstrosity like xtables-multi finds itself masquerading as
>> iptables and about a dozen other things.
>
> /usr/sbin/iptables-restore
> /usr/sbin/iptables-save
> /usr/sbin/iptables
> /usr/sbin/ip6tables-restore
> /usr/sbin/ip6tables-save
> /usr/sbin/ip6tables

Notice the command I issued. I started, of course, with something like 
xtables-multi -L -v as a first approximation. It coughed up a list of some 14 
different things it can be called as. That was not reassuring since I called it 
as a user rather than root. Then I tried the command listed. It failed but the 
message was informative enough. I, of course, escalated to prepending "sudo " to 
the command, giving my password as usual, and admired the results.

> are symlinks to "/usr/sbin/xtables-multi" because it's a multi-call
> binary, like busybox.

I was simply bemused that the old UNIX philosophy of one small task one command 
with results chained into the next command ad nauseam has finally been 
discovered to be silly and furthermore good sense is catching on past busybox. 
(I have the same attitude about "goto". (And despite dogma even at UniSys many 
see Dijkstra's pontification on the subject as flawed er and harmful. I live 
with one such.)) {^_-}

> There are others.
>
> Off the top of my head, dnsdomainname, domainname, nisdomainname,
> ypdomainname are symlinks to hostname; halt, poweroff, reboot,
> shutdown are symlinks to systemctl; view is a symlink to vi; etc.

I hadn't dug that far. But, again, it makes sense in a weird sort of way. It is 
really an ultimate reuse of code, right? {^_-}

> It's normal for "iptables" to fail if you call it as jdow; but if you
> have polkit installed, "pkexec iptables" might work (depending on your
> polkit policies; "sudo ..." and "su -c ..." will work if you're
> authorized).

But of course. I've been using sudo for a very long time. (I don't remember if I 
did it with the real SVR4 machine I had. But certainly I've been using it from 
the first RH 5 or so - not RHEL or Fedora, Hurricane if my memory works tonight.)

If sudo didn't work I'd have made a scene about it, probably.

{^_^}
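The multi-call arrangement Tom H describes (one binary, several names, behaviour chosen from argv[0]), as an added example that is not code from the thread, from iptables or from busybox. The applet names are the six symlinks Tom H listed; the table layout, `select_applet`, the stub applet bodies and the euid check are constructed here for illustration and do not mirror xtables-multi's real internals. It also handles the invocation jdow actually typed, where the binary is called by its own name and the first argument names the applet.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not code from the thread, iptables or busybox: a minimal
 * multi-call binary in the xtables-multi / busybox style. The applet names
 * are the six symlink names from the thread; the table layout, the stub
 * bodies and the privilege check are constructed for illustration. */

#define MULTI_NAME "xtables-multi"

enum family { IPV4, IPV6 };
enum mode   { MODE_MAIN, MODE_SAVE, MODE_RESTORE };

struct applet {
    const char *name;
    enum family family;
    enum mode   mode;
};

/* One file on disk, six personalities: the kernel execs the same binary
 * whichever symlink is used, and the program picks its role by name. */
static const struct applet applets[] = {
    { "iptables",          IPV4, MODE_MAIN    },
    { "iptables-save",     IPV4, MODE_SAVE    },
    { "iptables-restore",  IPV4, MODE_RESTORE },
    { "ip6tables",         IPV6, MODE_MAIN    },
    { "ip6tables-save",    IPV6, MODE_SAVE    },
    { "ip6tables-restore", IPV6, MODE_RESTORE },
};
#define N_APPLETS (sizeof applets / sizeof applets[0])

/* Last path component; unlike libc basename() it never modifies its input. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Pick the applet from how we were invoked. Returns NULL for an unknown or
 * missing name. *shift is how many leading argv entries the applet should
 * skip so that argv[*shift] is its own name:
 *   iptables -L -v                -> iptables, shift 0  (via symlink)
 *   xtables-multi iptables -L -v  -> iptables, shift 1  (jdow's invocation)
 *   xtables-multi                 -> NULL               (print applet list) */
static const struct applet *select_applet(int argc, char **argv, int *shift)
{
    const char *name = base_name(argv[0]);
    *shift = 0;
    if (strcmp(name, MULTI_NAME) == 0) {
        if (argc < 2)
            return NULL;
        name = base_name(argv[1]);   /* tolerate "xtables-multi /usr/sbin/iptables" */
        *shift = 1;
    }
    for (size_t i = 0; i < N_APPLETS; i++)
        if (strcmp(applets[i].name, name) == 0)
            return &applets[i];
    return NULL;
}

/* Every applet needs netfilter access (CAP_NET_ADMIN). As an approximation
 * of the real tool's behaviour we require euid 0 and fail early otherwise,
 * which is the "you must be root" message from the thread. */
static int run_applet(const struct applet *a, int argc, char **argv)
{
    if (geteuid() != 0) {
        fprintf(stderr, "%s: Permission denied (you must be root)\n", a->name);
        return 1;
    }
    printf("%s: %s %s tables", a->name,
           a->mode == MODE_SAVE    ? "dumping" :
           a->mode == MODE_RESTORE ? "loading" : "manipulating",
           a->family == IPV6 ? "IPv6" : "IPv4");
    for (int i = 1; i < argc; i++)
        printf(" %s", argv[i]);
    putchar('\n');
    return 0;
}

int main(int argc, char **argv)
{
    int shift;
    const struct applet *a = select_applet(argc, argv, &shift);
    if (!a) {
        fprintf(stderr, "usage: %s <applet> [args...]\napplets:", MULTI_NAME);
        for (size_t i = 0; i < N_APPLETS; i++)
            fprintf(stderr, " %s", applets[i].name);
        fputc('\n', stderr);
        return 2;
    }
    return run_applet(a, argc - shift, argv + shift);
}
```

Two points from the thread fall out of the structure. First, the `xtables-multi -L -v` attempt lists applets rather than running one because `-L` is not an applet name, while `xtables-multi iptables -L -v` dispatches normally. Second, the `777` mode and `bin_t` label jdow saw on the `iptables` symlink are harmless, as he concluded: the kernel resolves the symlink before exec, so the mode and the `iptables_exec_t` context that govern execution and any SELinux domain transition are the ones on the `xtables-multi` target, and one file's permissions cover every applet.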
